In at least some circumstances it is desirable to have in a computing machine both a main operating system that controls most processes and devices on the machine, and also a limited-purpose operating system along with the main operating system to perform certain limited tasks, perhaps on behalf of the main operating system. For example, it may be desirable to have as the limited-purpose operating system a trusted operating system that can be trusted to perform certain functions, perhaps on behalf of the main operating system and perhaps with the aid of certain functionality provided by the main operating system.
Such a trusted operating system may be a high-assurance operating system or ‘nexus’ that is intended to provide a high level of assurance as to the behavior thereof. For example, a nexus might be employed to work with confidential or secret information such as cryptographic keys or other sensitive data that should not be disclosed or divulged externally.
As may be appreciated, such a nexus operates in general by employing restricted memory that cannot be viewed externally from the nexus, and may permit only certain applications to execute under the nexus and to access the restricted memory. Fundamentally, the nexus is expected to behave properly and to provide the aforementioned high level of assurance, as opposed to the main operating system, which has no such expectation. Thus, the nexus should not interact with the main operating system in any way that would allow events happening at the main operating system to compromise the behavior of the nexus. In particular, no entity such as a computer virus, a nefarious trespasser, or the like should be able to interfere with the nexus by way of the main operating system.
Assuming the nexus does in fact behave properly and does in fact provide the aforementioned high level of assurance, it is to be appreciated that the nexus can at times be expected to store certain data generated or employed thereby in a data store external to such nexus, where the data store can be expected to be accessible to elements other than the nexus. For example, if the computing machine is a personal computer, the nexus can at times be expected to store certain nexus data in a hard drive, a memory card, or some other memory device for later retrieval. As may be appreciated, the data store is organized according to a file system which typically may be accessed by most any entity, interfering or otherwise. Accordingly, and also typically, such stored nexus data is in an encrypted form and therefore is not subject to being exposed to an interfering entity merely by being stored in the data store.
Nevertheless, an interfering hardware or software entity may still wreak havoc upon the encrypted stored nexus data in the data store merely by deleting or over-writing such data from such store, or in the case of a log file or the like to which data is periodically appended, by deleting or overwriting at least some of the appended data. Accordingly, a need exists for a method and mechanism for preventing an interfering entity from attacking stored nexus data in a data store by deleting or overwriting such data. More generally, a need exists for a method and mechanism for preventing the data store from honoring any command from an interfering entity with respect to stored nexus data therein. Even more generally, a need exists for a method and mechanism for preventing the data store from honoring any command from any entity other than the nexus with respect to stored nexus data therein.